coverme-scanner 1.3.0 → 1.3.2

package/commands/scan.md

@@ -1,317 +0,0 @@
-# Vibecode Tracker - Multi-Agent Code Scanner
-
-Run a comprehensive code analysis using 11 AI agents with cross-validation.
-
-$ARGUMENTS
-
-## Execution Flow
-
-You will orchestrate a multi-phase code scan. Follow each phase exactly.
-
----
-
-## PHASE 0: Context Discovery (REQUIRED FIRST)
-
-Before ANY scanning, understand the project:
-
-**Launch ONE agent with Task tool (subagent_type="Explore"):**
-
-```
-Understand this codebase thoroughly.
-
-1. Find and read ALL documentation:
-   - README.md, CLAUDE.md, .claude/CLAUDE.md
-   - docs/*.md, ARCHITECTURE.md, SECURITY.md
-
-2. Identify tech stack from:
-   - package.json (Node.js)
-   - requirements.txt (Python)
-   - go.mod, Cargo.toml, etc.
-
-3. Map the architecture:
-   - Entry points (routes, controllers)
-   - Middleware and auth
-   - Database access patterns
-   - External service integrations
-
-4. Note security-relevant components:
-   - Auth system used
-   - Encryption implementations
-   - File handling
-   - User input processing
-
-Output a structured JSON summary of the project context.
-```
-
-**Wait for this agent to complete before proceeding.**
-
----
-
-## PHASE 1: Discovery Scan (5 Agents in Parallel)
-
-Launch ALL 5 agents simultaneously using parallel Task tool calls:
-
-### Agent 1: Security Scanner
-```
-You are a security researcher. Scan this codebase for vulnerabilities.
-
-PROJECT CONTEXT: {paste context from Phase 0}
-
-Check for:
-- SQL/NoSQL injection, XSS, Command injection
-- Authentication/Authorization flaws
-- Cryptography issues, hardcoded secrets
-- SSRF, Path traversal, File upload issues
-- Rate limiting, Session management
-
-For EACH finding output JSON:
-{
-  "id": "SEC-001",
-  "title": "...",
-  "severity": "critical|high|medium|low",
-  "file": "path/to/file.js",
-  "line": 123,
-  "code": "vulnerable code snippet",
-  "description": "What's wrong",
-  "exploit": "How to exploit",
-  "recommendation": "How to fix",
-  "evidence": ["data flow proof"]
-}
-
-Be thorough. Check EVERY file.
-```
-
-### Agent 2: Quality Analyzer
-```
-You are a code quality expert. Scan for quality issues.
-
-PROJECT CONTEXT: {paste context from Phase 0}
-
-Check for:
-- DRY violations (duplicated code)
-- High complexity functions
-- Dead code, unused imports
-- Error handling issues
-- Type safety problems
-- Anti-patterns
-
-Output findings as JSON with "QUAL-XXX" IDs.
-```
-
-### Agent 3: Architecture Reviewer
-```
-You are a software architect. Review the codebase structure.
-
-PROJECT CONTEXT: {paste context from Phase 0}
-
-Check for:
-- Layer violations
-- Circular dependencies
-- Missing abstractions
-- Component coupling
-- API design issues
-- Configuration problems
-
-Output findings as JSON with "ARCH-XXX" IDs.
-```
-
-### Agent 4: Dependency Auditor
-```
-You are a dependency security expert. Audit all dependencies.
-
-PROJECT CONTEXT: {paste context from Phase 0}
-
-Check for:
-- CVEs in dependencies
-- Outdated packages
-- License compliance
-- Unused dependencies
-- Supply chain risks
-
-Output findings as JSON with "DEPS-XXX" IDs.
-```
-
-### Agent 5: Performance Hunter
-```
-You are a performance engineer. Find performance issues.
-
-PROJECT CONTEXT: {paste context from Phase 0}
-
-Check for:
-- N+1 query patterns
-- Memory leaks
-- Blocking operations
-- Missing caching
-- Inefficient algorithms
-
-Output findings as JSON with "PERF-XXX" IDs.
-```
-
-**Wait for ALL 5 agents to complete before proceeding.**
-
----
-
-## PHASE 2: Cross-Validation (3 Agents in Parallel)
-
-Collect ALL findings from Phase 1, then launch 3 validators:
-
-### Validator A: False Positive Hunter
-```
-Review all findings from Phase 1 for FALSE POSITIVES.
-
-FINDINGS TO VALIDATE:
-{paste all findings from Phase 1}
-
-For each finding:
-1. Read the actual code
-2. Check for mitigating controls
-3. Verify the issue is real
-
-Output:
-{
-  "confirmed": ["SEC-001", "QUAL-003", ...],
-  "falsePositives": [
-    {"id": "SEC-002", "reason": "Input is sanitized at line X"}
-  ]
-}
-```
-
-### Validator B: Evidence Challenger
-```
-Challenge every HIGH and CRITICAL finding.
-
-FINDINGS TO VALIDATE:
-{paste HIGH/CRITICAL findings only}
-
-For each finding:
-1. Read the full code context
-2. Trace the data flow
-3. Attempt to construct an exploit
-4. Determine if truly exploitable
-
-Output same format as Validator A.
-```
-
-### Validator C: Missing Issues Hunter
-```
-Look for issues that Phase 1 agents MISSED.
-
-EXISTING FINDINGS:
-{paste all findings}
-
-Search for:
-- Business logic flaws
-- Race conditions
-- Edge cases
-- Integration vulnerabilities
-- Combination attacks
-
-Output:
-{
-  "missedIssues": [
-    {full finding object with new ID}
-  ]
-}
-```
-
-**Wait for ALL 3 validators to complete.**
-
----
-
-## PHASE 3: Deep Dive (If Needed)
-
-For any finding where Validator A and B disagree, launch a Deep Dive agent:
-
-```
-DISPUTED FINDING:
-{finding details}
-
-VALIDATOR A SAYS: {verdict}
-VALIDATOR B SAYS: {verdict}
-
-Perform exhaustive analysis:
-1. Read ALL relevant code
-2. Trace complete data flow
-3. Check all mitigating controls
-4. Determine the TRUE status
-
-Output your final verdict with detailed evidence.
-```
-
----
-
-## PHASE 4: Build Consensus
-
-Now aggregate all results:
-
-1. **Merge duplicates** - Same issue from multiple agents
-2. **Calculate confidence**:
-   - Each validator confirmation: +15%
-   - Each false_positive vote: -20%
-   - Deep dive confirmation: +25%
-3. **Filter**: Remove findings with <50% confidence
-4. **Sort**: By severity, then confidence
-
----
-
-## PHASE 5: Generate Report
-
-Create a professional PDF report:
-
-### Structure:
-1. **Cover Page** - Project name, date, finding counts
-2. **Executive Summary** - One page for leadership
-3. **Scan Overview** - Files scanned, duration, methodology
-4. **Critical Issues** - Full detail with code and fixes
-5. **High Issues** - Full detail
-6. **Medium Issues** - Summarized table
-7. **Low Issues** - List only
-8. **Positive Observations** - Good patterns found
-9. **Recommendations** - Prioritized action items
-
-### Generate Report:
-
-Use the report generator prompt to create the Markdown content, then convert to PDF:
-
-```bash
-npx md-to-pdf vibecode-report.md
-```
-
-Or use the Read tool to save directly as PDF if available.
-
----
-
-## Output
-
-Save the final report as:
-```
-vibecode-report-{YYYY-MM-DD}.pdf
-```
-
-Also save the raw findings as:
-```
-vibecode-findings-{YYYY-MM-DD}.json
-```
-
----
-
-## Quick Options
-
-If the user specifies options:
-
-- `/scan security` - Only run Security Scanner + validators
-- `/scan quality` - Only run Quality Analyzer + validators
-- `/scan --quick` - Skip validation phase (faster, less accurate)
-- `/scan --json` - Output JSON only, no PDF
-
----
-
-## Important Notes
-
-1. **Always run Phase 0 first** - Context is critical
-2. **Use parallel Task calls** - Faster execution
-3. **Wait between phases** - Each phase needs previous results
-4. **Be thorough** - Better to find more and filter than miss issues
-5. **Include positives** - Good patterns are important too
-
-BEGIN SCAN NOW.

package/src/cli/index.ts

@@ -1,251 +0,0 @@
-#!/usr/bin/env node
-
-import { Command } from 'commander';
-import { init } from './init.js';
-import { scan } from './scan.js';
-import { generateReport } from '../report/index.js';
-import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync } from 'fs';
-import { join } from 'path';
-
-const pkg = JSON.parse(readFileSync(join(__dirname, '..', '..', 'package.json'), 'utf-8'));
-
-const program = new Command();
-
-program
-  .name('coverme')
-  .description('AI-powered code scanner with multi-agent verification for Claude Code')
-  .version(pkg.version);
-
-program
-  .command('init')
-  .description('Install vibecode slash commands into .claude/commands/')
-  .option('-g, --global', 'Install globally to ~/.claude/commands/')
-  .action(init);
-
-program
-  .command('scan')
-  .description('Scan codebase with multi-agent AI verification')
-  .argument('[path]', 'Path to scan', '.')
-  .option('-o, --output <format>', 'Output format: json, pdf, md, html', 'pdf')
-  .option('-O, --output-path <path>', 'Output file path')
-  .option('-c, --categories <cats>', 'Categories to scan: security,quality,arch,deps,perf', 'all')
-  .option('-s, --severity <level>', 'Minimum severity: critical,high,medium,low,info', 'low')
-  .option('-v, --verbose', 'Verbose output')
-  .option('-p, --parallel <num>', 'Number of parallel agents', '5')
-  .action(scan);
-
-program
-  .command('report')
-  .description('Generate PDF/HTML report from scan JSON')
-  .argument('<json-file>', 'Path to scan results JSON file')
-  .option('-o, --output <path>', 'Output file path')
-  .option('-f, --format <format>', 'Output format: pdf, html', 'pdf')
-  .action(async (jsonFile: string, options: { output?: string; format?: 'pdf' | 'html' }) => {
-    await generateReport(jsonFile, options.output, options.format || 'pdf');
-  });
-
-// Agent management commands
-const agentCmd = program
-  .command('agent')
-  .description('Manage custom agents');
-
-agentCmd
-  .command('add')
-  .description('Add a new custom agent')
-  .argument('<name>', 'Agent name (e.g., "John")')
-  .argument('<task>', 'What the agent should do')
-  .action((name: string, task: string) => {
-    const covermeDir = join(process.cwd(), '.coverme');
-    const agentsPath = join(covermeDir, 'agents.json');
-
-    if (!existsSync(covermeDir)) {
-      mkdirSync(covermeDir, { recursive: true });
-    }
-
-    let agents: any = { agents: [] };
-    if (existsSync(agentsPath)) {
-      agents = JSON.parse(readFileSync(agentsPath, 'utf-8'));
-      if (!agents.agents) agents.agents = [];
-    }
-
-    agents.agents.push({ name, task });
-    writeFileSync(agentsPath, JSON.stringify(agents, null, 2));
-    console.log(`Added agent "${name}"`);
-    console.log(`Task: ${task}`);
-  });
-
-agentCmd
-  .command('list')
-  .description('List all custom agents')
-  .action(() => {
-    const agentsPath = join(process.cwd(), '.coverme', 'agents.json');
-    if (!existsSync(agentsPath)) {
-      console.log('No custom agents. Add one with: coverme agent add "John" "Check .env files for secrets"');
-      return;
-    }
-
-    const agents = JSON.parse(readFileSync(agentsPath, 'utf-8'));
-    if (!agents.agents || agents.agents.length === 0) {
-      console.log('No custom agents. Add one with: coverme agent add "John" "Check .env files for secrets"');
-      return;
-    }
-
-    console.log('\nCustom Agents:\n');
-    agents.agents.forEach((agent: any, i: number) => {
-      console.log(`  ${i + 1}. ${agent.name}`);
-      console.log(`     Task: ${agent.task}`);
-      console.log('');
-    });
-  });
-
-agentCmd
-  .command('remove')
-  .description('Remove a custom agent')
-  .argument('<name>', 'Agent name to remove')
-  .action((name: string) => {
-    const agentsPath = join(process.cwd(), '.coverme', 'agents.json');
-    if (!existsSync(agentsPath)) {
-      console.error('No agents.json found');
-      return;
-    }
-
-    const agents = JSON.parse(readFileSync(agentsPath, 'utf-8'));
-    const idx = agents.agents.findIndex((a: any) => a.name.toLowerCase() === name.toLowerCase());
-    if (idx === -1) {
-      console.error(`Agent "${name}" not found`);
-      return;
-    }
-
-    const removed = agents.agents.splice(idx, 1)[0];
-    writeFileSync(agentsPath, JSON.stringify(agents, null, 2));
-    console.log(`Removed agent "${removed.name}"`);
-  });
-
-// Runtime verification commands
-const verifyCmd = program
-  .command('verify')
-  .description('Verify runtime environment matches code expectations');
-
-verifyCmd
-  .command('setup')
-  .description('Configure SSH access for runtime verification')
-  .option('-h, --host <host>', 'SSH host (e.g., user@server.com)')
-  .option('-p, --port <port>', 'SSH port', '22')
-  .option('-k, --key <path>', 'Path to SSH private key')
-  .option('-n, --name <name>', 'Environment name (e.g., production, staging)')
-  .action((options: { host?: string; port?: string; key?: string; name?: string }) => {
-    const covermeDir = join(process.cwd(), '.coverme');
-    const configPath = join(covermeDir, 'runtime.json');
-
-    if (!existsSync(covermeDir)) {
-      mkdirSync(covermeDir, { recursive: true });
-    }
-
-    let config: any = { environments: [] };
-    if (existsSync(configPath)) {
-      config = JSON.parse(readFileSync(configPath, 'utf-8'));
-      if (!config.environments) config.environments = [];
-    }
-
-    if (!options.host) {
-      console.log('\nRuntime Verification Setup');
-      console.log('==========================\n');
-      console.log('This feature allows CoverMe to SSH into your servers and compare');
-      console.log('the actual runtime environment against your code configuration.\n');
-      console.log('Usage:');
-      console.log('  coverme verify setup --host user@server.com --name production');
-      console.log('  coverme verify setup --host deploy@staging.example.com --key ~/.ssh/id_rsa --name staging\n');
-      console.log('Options:');
-      console.log('  -h, --host <host>  SSH host (required)');
-      console.log('  -n, --name <name>  Environment name (default: from host)');
-      console.log('  -p, --port <port>  SSH port (default: 22)');
-      console.log('  -k, --key <path>   Path to SSH private key\n');
-
-      if (config.environments.length > 0) {
-        console.log('Configured environments:');
-        config.environments.forEach((env: any, i: number) => {
-          console.log(`  ${i + 1}. ${env.name}: ${env.host}:${env.port}`);
-        });
-      }
-      return;
-    }
-
-    const envName = options.name || options.host.split('@')[1]?.split('.')[0] || 'default';
-
-    // Remove existing with same name
-    config.environments = config.environments.filter((e: any) => e.name !== envName);
-
-    config.environments.push({
-      name: envName,
-      host: options.host,
-      port: parseInt(options.port || '22'),
-      keyPath: options.key || null,
-      addedAt: new Date().toISOString()
-    });
-
-    writeFileSync(configPath, JSON.stringify(config, null, 2));
-    console.log(`\nAdded environment "${envName}"`);
-    console.log(`  Host: ${options.host}`);
-    console.log(`  Port: ${options.port || '22'}`);
-    if (options.key) console.log(`  Key: ${options.key}`);
-    console.log('\nRun verification with:');
-    console.log(`  /coverme-verify ${envName}`);
-    console.log('\nOr in Claude Code:');
-    console.log(`  /coverme --verify ${envName}`);
-  });
-
-verifyCmd
-  .command('list')
-  .description('List configured environments')
-  .action(() => {
-    const configPath = join(process.cwd(), '.coverme', 'runtime.json');
-
-    if (!existsSync(configPath)) {
-      console.log('No environments configured.');
-      console.log('Run: coverme verify setup --host user@server.com --name production');
-      return;
-    }
-
-    const config = JSON.parse(readFileSync(configPath, 'utf-8'));
-
-    if (!config.environments || config.environments.length === 0) {
-      console.log('No environments configured.');
-      return;
-    }
-
-    console.log('\nConfigured Environments:\n');
-    config.environments.forEach((env: any, i: number) => {
-      console.log(`  ${i + 1}. ${env.name}`);
-      console.log(`     Host: ${env.host}:${env.port}`);
-      if (env.keyPath) console.log(`     Key: ${env.keyPath}`);
-      console.log(`     Added: ${new Date(env.addedAt).toLocaleDateString()}`);
-      console.log('');
-    });
-  });
-
-verifyCmd
-  .command('remove')
-  .description('Remove an environment')
-  .argument('<name>', 'Environment name')
-  .action((name: string) => {
-    const configPath = join(process.cwd(), '.coverme', 'runtime.json');
-
-    if (!existsSync(configPath)) {
-      console.error('No environments configured.');
-      return;
-    }
-
-    const config = JSON.parse(readFileSync(configPath, 'utf-8'));
-    const idx = config.environments.findIndex((e: any) => e.name.toLowerCase() === name.toLowerCase());
-
-    if (idx === -1) {
-      console.error(`Environment "${name}" not found`);
-      return;
-    }
-
-    const removed = config.environments.splice(idx, 1)[0];
-    writeFileSync(configPath, JSON.stringify(config, null, 2));
-    console.log(`Removed environment "${removed.name}"`);
-  });
-
-program.parse();